In other words, it is an LDAPMessage with messageID 1 and a SearchResultDone ([APPLICATION 5] { ... }) and a sequence of Controls ([0] { ... }).
However, the nesting is wrong - the Controls (starting at byte 22) are being encoded inside the SearchResultDone. That's not correct - they should be in the outer LDAPMessage instead. Something like this:
However I don't /think/ we should be barfing like that, as LDAP has built-in extensibility rules which state that clients/servers should try to ignore bits of unexpected data as long as they're in the "right place". IIRC you can put in custom stuff but only at the ends of certain structures and we should just ignore it. But even if we ignored it, we still wouldn't find Oracle's misplaced paged results control :-(
On 19 Jan 2012, at 12:39, John Devitofranceschi wrote:
> Two bugs! Such a deal!
No extra charge :-)
> Yes, the cookie setting code is in the while (1) loop and the callback merely prints out the dn of the returned entries.
You mentioned that the OpenLDAP ldapsearch command-line tool seemed to work. Can you double-check it is getting multiple pages back (try using pr=2/prompt), or whether it is stopping after the first page because of the misplaced result cookie?
The only other difference I can see between your ldapsearch args and your Net::LDAP code is that the control's criticality is different. Does varying that affect things?
> Thanks very much for the quick analysis. I'll need to add dumpasn1 to my bag of tricks!
You can get Net::LDAP to output something similar to dumpasn1's using $ldap->debug(8). The value is a bitmask, and the bits are described in the Net::LDAP man page. But dumpasn1 is a handy tool to have around anyway.
On Jan 19, 2012, at 8:21, Chris Ridd <chrisr...@mac.com> wrote:
> On 19 Jan 2012, at 12:39, John Devitofranceschi wrote:
>> Two bugs! Such a deal!
> No extra charge :-)
>> Yes, the cookie setting code is in the while (1) loop and the callback merely prints out the dn of the returned entries.
> You mentioned that the OpenLDAP ldapsearch command-line tool seemed to work. Can you double-check it is getting multiple pages back (try using pr=2/prompt), or whether it is stopping after the first page because of the misplaced result cookie?
OpenLDAP's ldapsearch works as expected. Multiple pages get returned.
> The only other difference I can see between your ldapsearch args and your Net::LDAP code is that the control's criticality is different. Does varying that affect things?
Changing the criticality makes no difference in either case. It either continues to work in the ldapsearch case or continues to fail in the perl-ldap case.
>> Thanks very much for the quick analysis. I'll need to add dumpasn1 to my bag of tricks!
> You can get Net::LDAP to output something similar to dumpasn1's using $ldap->debug(8). The value is a bitmask, and the bits are described in the Net::LDAP man page. But dumpasn1 is a handy tool to have around anyway.
> On Jan 19, 2012, at 8:21, Chris Ridd <chrisr...@mac.com> wrote:
>> On 19 Jan 2012, at 12:39, John Devitofranceschi wrote:
>>> Two bugs! Such a deal!
>> No extra charge :-)
>>> Yes, the cookie setting code is in the while (1) loop and the callback merely prints out the dn of the returned entries.
>> You mentioned that the OpenLDAP ldapsearch command-line tool seemed to work. Can you double-check it is getting multiple pages back (try using pr=2/prompt), or whether it is stopping after the first page because of the misplaced result cookie?
> OpenLDAP's ldapsearch works as expected. Multiple pages get returned.
That's puzzling, and suggests my analysis is wrong. Can you get some (snoop/tcpdump) packet traces from ldapsearch and perl up to and including the first page search done? It'll have passwords and your data in so if you want to send them off-list that's fine.
> On 19 Jan 2012, at 14:00, John Devitofranceschi wrote:
>> On Jan 19, 2012, at 8:21, Chris Ridd <chrisr...@mac.com> wrote:
>>> On 19 Jan 2012, at 12:39, John Devitofranceschi wrote:
>>>> Two bugs! Such a deal!
>>> No extra charge :-)
>>>> Yes, the cookie setting code is in the while (1) loop and the callback merely prints out the dn of the returned entries.
>>> You mentioned that the OpenLDAP ldapsearch command-line tool seemed to work. Can you double-check it is getting multiple pages back (try using pr=2/prompt), or whether it is stopping after the first page because of the misplaced result cookie?
>> OpenLDAP's ldapsearch works as expected. Multiple pages get returned.
> That's puzzling, and suggests my analysis is wrong. Can you get some (snoop/tcpdump) packet traces from ldapsearch and perl up to and including the first page search done? It'll have passwords and your data in so if you want to send them off-list that's fine.
Just to follow up on-list - the snoops that John sent me both showed that Oracle consistently sends the paged results control in the wrong place. Wireshark also complained.
Unless Oracle's shipping a version of ldapsearch that reads the control from the wrong place and counteracts their server bug, I'm puzzled how John's ldapsearch works.
>> On 19 Jan 2012, at 14:00, John Devitofranceschi wrote:
>>> On Jan 19, 2012, at 8:21, Chris Ridd <chrisr...@mac.com> wrote:
>>>> On 19 Jan 2012, at 12:39, John Devitofranceschi wrote:
>>>>> Two bugs! Such a deal!
>>>> No extra charge :-)
>>>>> Yes, the cookie setting code is in the while (1) loop and the callback merely prints out the dn of the returned entries.
>>>> You mentioned that the OpenLDAP ldapsearch command-line tool seemed to work. Can you double-check it is getting multiple pages back (try using pr=2/prompt), or whether it is stopping after the first page because of the misplaced result cookie?
>>> OpenLDAP's ldapsearch works as expected. Multiple pages get returned.
>> That's puzzling, and suggests my analysis is wrong. Can you get some (snoop/tcpdump) packet traces from ldapsearch and perl up to and including the first page search done? It'll have passwords and your data in so if you want to send them off-list that's fine.
> Just to follow up on-list - the snoops that John sent me both showed that Oracle consistently sends the paged results control in the wrong place. Wireshark also complained.
> Unless Oracle's shipping a version of ldapsearch that reads the control from the wrong place and counteracts their server bug, I'm puzzled how John's ldapsearch works.
> Chris
Actually, that ldapsearch is from Openldap on Redhat Linux.
